networking
articles
- a quic look at http/3
- a visual guide to ssh tunnels
- dns over tls vs. dns over https
- encrypted sni
- how to route all internet traffic through tor?
- http/3 explained
- learn with me: vlans & pfsense
- start your own isp
- ysk about firewalls and how they work
- store frequencies
- im-me specturm analyzer
- gps
- scanning malls (radios)
- reverse engineering smart meters
bluetooth
hardware
- router: connects subnets and translates addresses
- routers dont allow broadcasts between subnets
- hub: sends packets to all ports
- switch: sends packets to the one (physical) port where the recipient of the packet is
- cam table - maps mac addresses to (physical) ports in a switch
- how does it build it? laptop sends out dhcp request with source mac address, and switch sees it and adds it to cam table
- If you mac flood a switch (overflow the cam table), it changes to hub mode
- switch is layer 2, doesnt care about ip addresses
- cam table - maps mac addresses to (physical) ports in a switch
- access point: like a hub, but wiresless. the packets get forwarded to every device (since you can't send waves to just one device), your computer knows to ignore packets thats not for you
- unless you put your network card in promiscuous mode
mac Spoofing is a thing.
7-layer model
1 - physical (802.11, 802.3)
2 - link
- ethernet, tokenring, arp [frame]
DST MAC (6bytes), SRC MAC (6), TYPE (2)- destination first so you know if it's for you or not (unless you're in promiscuous modes)
- ethernet can go over any physical thing
- broadcast address is all 1s: all =f=s or 256
ARP=/=RARP(reverse)PHY ADDR (6) (DST, SRC), LOG ADDR (4) (DST, SRC), OPCODEPHY- MACLOG- IP
- only fill in 3 fields
ARPpoisoning - continually send out packets- tell victim that you're the gateway
- tell gateway that you're the victim
- avoid this by only listening to the dhcp port (or set it manually if no dhcp
arp -a=/=ip neigh(bor)
3 - network
- ip, ipv6 [packet]
- ip packet
- Header:
SRC IP, DST IP, TTL, Length, Frag, Proto, Checksum, Header LengthFrag: fragmentationProto: protocal tells you whether it's ICMP, TCP, etc.Header Length: you multiply it by 4 (which is why it needs to be in multiples of 4)- ipv4 header must be at least 20 bytes, can be more in multiples of 4, adding on additional options fields
TTL: different for every operating system
- Header:
traceroute- windows: ICMP
echorequest - mac: UDP
- linux: TCP
- windows: ICMP
ICMP- used for error reporting
- has no port, since ports are used to tell what process to send it to. icmp just gets sent to the kernel.
- ip packet
4 - transport
- icmp, tcp, udp
- tcp packet
SYN,SYN/ACK,ACK(could also beSYN,SYN,ACK,ACK)- other flags:
RSTclear this from your connection table,FINat the end of the whole session to stop,URGurgent,PSHsending unrequested data
- header:
Length, Checksum, DST Port, SRC Port, Seq number, Flags(not in that order)Checksumis a bit operation that has more collisions than a hash. very fast to do on hardware
- tcp packet
protcols
dns
dig- a dns tool
general use
→ dig alex-bellon.com ; <<>> DiG 9.14.6 <<>> alex-bellon.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64475 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;alex-bellon.com. IN A ;; ANSWER SECTION: alex-bellon.com. 3600 IN A 216.239.32.21 alex-bellon.com. 3600 IN A 216.239.36.21 alex-bellon.com. 3600 IN A 216.239.34.21 alex-bellon.com. 3600 IN A 216.239.38.21 ;; Query time: 28 msec ;; SERVER: 128.83.185.41#53(128.83.185.41) ;; WHEN: Tue Nov 12 17:51:32 CST 2019 ;; MSG SIZE rcvd: 108
Shorter Answer
→ dig +short alex-bellon.com 216.239.36.21 216.239.38.21 216.239.32.21 216.239.34.21
Nameserver Details
→ dig ns +short alex-bellon.com ns-cloud-a1.googledomains.com. ns-cloud-a3.googledomains.com. ns-cloud-a4.googledomains.com. ns-cloud-a2.googledomains.com.
Use a different DNS server
→ dig alex-bellon.com @1.1.1.1
Reverse DNS Lookup
→ dig -x 8.8.8.8
reverse proxy
tools
- awesome-waf - everything awesome about web-application firewalls (waf)
- brim - desktop application to efficiently search large packet captures and zeek logs.
- broxy - an http/https intercept proxy written in go.
iprepd- centralized ip reputation daemoniptables- redhat guide to
iptables - look in
ccdc/firewalls/iptables.md
- redhat guide to
- milkman - a request/response workbench
- ngrok - ngrok is a reverse proxy that creates a secure tunnel from a public endpoint to a locally running web service. ngrok captures and analyzes all traffic over the tunnel for later inspection and replay.
- opensnitch - host-based application firewall
- ptunnel - tunnel connections through https proxy
- ptunnel-ng - tunnel tcp connections through icmp
- ssl configuration generator
vpn
vpn tunneling
- zerotier
- zerotier allows you to directly connect from your machine to another remote machine on another network, and it "punches through" firewalls, nats, etc. to make a direct connection. you are given a 10 digit
zerotier addressfor your node, and in order to connect to other networks you need its corresponding 16 digitnetwork id. this allows you to create mesh networks across a bunch of machines and networks. - zerotier linux gui
- zerotier allows you to directly connect from your machine to another remote machine on another network, and it "punches through" firewalls, nats, etc. to make a direct connection. you are given a 10 digit